Last updated: April 2026
Key Takeaways
- AI models like Claude Mythos can now autonomously discover and exploit vulnerabilities in every major operating system and browser. The era of "I'll update it later" is over. Personal digital security is no longer optional.
- This checklist covers two layers most guides treat separately: personal device security (adapted from Andrej Karpathy's widely shared 15-step guide) and home network security (the layer that sits between the internet and every device you own).
- Every recommendation prioritizes local-first, privacy-respecting solutions. Where a cloud-based alternative is simpler, we note it. But the default is always: you control the tool, the tool does not control you.
If You Only Have 30 Minutes
The full checklist below covers 20 steps across personal security and home network hardening. If you want the highest impact for the least time, start with these five. Everything else can wait until you have a weekend.
| Priority | Action | Time | Why It Matters |
|---|---|---|---|
| 1 | Update every device OS and browser right now | 5 min to start | Mythos found zero-days in every major OS and browser. Patches are rolling out. |
| 2 | Enable disk encryption (FileVault / BitLocker / LUKS) | 2 min | Stolen laptop = useless brick instead of every file you own. |
| 3 | Install a password manager and change your top 5 passwords | 15 min | Unique passwords per site means one breach does not cascade. |
| 4 | Update your router firmware | 5 min | Your router is the front door. If it is not updated, nothing behind it matters. |
| 5 | Order a YubiKey (setup when it arrives) | 2 min to order | Hardware security keys stop phishing attacks that AI makes undetectable. |
Why This Checklist, Why Now
On April 7, 2026, Anthropic announced that their unreleased Claude Mythos model had autonomously found thousands of zero-day vulnerabilities in every major operating system and every major web browser. A 27-year-old bug in OpenBSD. A 16-year-old flaw in FFmpeg that survived five million automated tests. Privilege escalation chains in the Linux kernel. Remote root access on FreeBSD's NFS server.
These are not theoretical risks. These are confirmed vulnerabilities that existed in the software you use right now, found by a model that was not even trained for security research — the security capabilities emerged from getting better at code.
Mythos is currently restricted to Project Glasswing's corporate partners. It will not stay restricted. Anthropic says directly: "It will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely." Six months from now — probably sooner — models with these capabilities will be in the hands of people who do not have a $100 million defensive security budget.
Your defense against that is not one dramatic change. It is a stack of small, practical steps that collectively make you a harder target than the next person. Most of these take minutes to set up.
The personal device security section below draws heavily from Andrej Karpathy's digital hygiene guide, which went viral in 2025 for good reason — it is the clearest starting point available. We have adapted his recommendations with our editorial positions (Proton and Mullvad only for VPN, local-first where possible) and added the entire home network layer that his guide does not cover.

Part 1 — Personal Digital Security
1. Use a Password Manager
Generate a unique, random password for every account. When one service gets breached — and services get breached constantly — attackers try those same credentials everywhere else. A password manager eliminates that risk entirely. 1Password is the most polished option. Bitwarden is open-source and free for personal use if you prefer to audit the code yourself.
2. Set Up Hardware Security Keys
A YubiKey is a physical device that acts as your second authentication factor. An attacker would need to physically hold it to log in. This matters more now than it did a year ago because AI-generated phishing is getting indistinguishable from real communication. Phone-based verification codes are vulnerable to SIM swapping (someone calls your carrier, impersonates you, and redirects your number). A hardware key cannot be SIM-swapped.
Buy two or three YubiKeys and store them in different locations. One on your keychain, one in a safe, one at a trusted family member's house. If you lose one, you are not locked out of everything.
3. Enable Biometrics Everywhere
Face ID, fingerprint, whatever your device supports. Enable it on your password manager, banking apps, and anything sensitive. This is the third authentication layer: something you know (password), something you have (YubiKey), something you are (biometrics). Combining all three makes unauthorized access extremely difficult even for an attacker with sophisticated AI tools.
4. Randomize Security Question Answers
"What's your mother's maiden name?" is searchable in seconds. Generate random answers to every security question and store them in your password manager alongside your passwords. Never answer these truthfully. Treat them as a second password field.
5. Enable Disk Encryption
On Mac it is FileVault. On Windows it is BitLocker. On Linux it is LUKS. If your laptop is stolen, disk encryption means the thief gets a useless brick instead of every file you have ever created. Takes two minutes to enable and runs silently in the background. There is no reason not to do this immediately.
6. Switch to Signal for Messaging
Signal encrypts your messages end-to-end so no one — not Signal, not your carrier, not anyone intercepting the data — can read them. Regular text messages and even iMessage store metadata (who you talked to, when, how often) that anyone with access can analyze. Turn on disappearing messages. A 90-day default is reasonable for most conversations.
7. Use Proton Mail for Sensitive Email
Standard email providers scan your messages for advertising data. Proton Mail provides end-to-end encryption so that only you and your recipient can read the content. It is based in Switzerland under Swiss privacy law. We recommend Proton as our only email provider for sensitive communication. If you cannot switch entirely, at minimum use it for anything financial, medical, or legal.
8. Stop Clicking Links in Emails
This is the single highest-impact behavioral change on this list. Email addresses are trivially easy to spoof. With AI, phishing emails now look indistinguishable from real ones — correct grammar, correct formatting, correct branding, personalized to you. Never click a link in an email. Navigate to the website manually and log in from there. Also disable automatic image loading in your email settings. Embedded images are used to track whether you opened the message, when, and from where.
9. Use a Privacy-Focused Browser
Brave is built on Chromium, so Chrome extensions work and the experience is familiar. It blocks ads and trackers by default. Firefox with hardened privacy settings is the more sovereignty-aligned alternative — it is fully open-source and does not rely on Google's rendering engine. Either is a significant improvement over stock Chrome.
10. Switch Your Default Search Engine
Brave Search maintains its own independent search index (unlike DuckDuckGo, which primarily queries Bing). If a result is not sufficient, add "!g" to redirect that specific query to Google. You search Google intentionally, not by default. The goal is to stop being the product.
11. Use Virtual Credit Cards for Online Purchases
Services like Privacy.com let you generate a new card number for every merchant with custom spending limits. If a merchant gets breached, attackers get one disposable number instead of your real financial identity. You also avoid giving your actual billing address to every online store.
12. Be Selective About Smart Home Devices
Karpathy's advice is to minimize smart devices. We agree, and we will take it further in Part 2 with network segmentation. Every "smart" device is an internet-connected computer with a microphone, camera, or sensor sitting in your home. They collect data, phone home constantly, and receive firmware updates on the manufacturer's schedule — not yours. If you can accomplish the same task with a device that does not connect to the internet, do that instead.
When you do keep smart devices, choose local-first alternatives. Home Assistant with Frigate NVR processes your security camera feeds locally instead of sending video to Amazon or Google's cloud. The footage never leaves your network.
13. Use a VPN — But Only a Trustworthy One
A VPN hides your IP address from the services you connect to and encrypts your traffic from your ISP. You do not need it running 24/7, but turn it on for public Wi-Fi, ISP-sensitive browsing, and services you trust less.
We recommend exactly two VPN providers: Mullvad and Proton VPN. Mullvad accepts cash payments, requires no email address, and has been independently audited. Proton VPN is included with Proton Mail and offers a clean, audited client. We do not recommend any other VPN provider. Many popular VPNs have adversarial ownership structures, opaque logging practices, or are based in jurisdictions that compel data handover. Reader security comes before affiliate revenue — Mullvad does not even have an affiliate program, and we recommend it anyway.
14. Set Up DNS-Level Ad and Tracker Blocking
DNS is the phonebook your devices use to find websites. Blocking at the DNS level means ads, trackers, and known malicious domains are killed before they ever load — across every app and browser on your network, not just the ones with extensions installed.
Our recommended solution is Pi-hole: a self-hosted DNS sinkhole that runs on a Raspberry Pi 5 on your local network. You control the blocklists. You can see every DNS query from every device. Nothing leaves your network. It also doubles as a monitoring tool — if a device on your network is phoning home to unexpected domains, Pi-hole's query log will show you.
If you do not want to maintain hardware, NextDNS is a cloud-based alternative that provides similar blocking with a simpler setup. It is a good starting point, but understand that your DNS queries route through their servers rather than staying local.
15. Install a Network Monitor on Your Computer
Little Snitch (Mac), GlassWire (Windows), or ntopng (Linux) show you which applications on your computer are communicating, how much data they are sending, and where it is going. Any app calling home more than you would expect is suspicious. This is the personal-device complement to the network-level monitoring you get from Pi-hole.
Part 2 — Home Network Security
Everything above secures your devices. This section secures the network those devices sit on. Your home network is the layer between the internet and everything you own. If it is compromised, no amount of personal device hygiene will save you.
16. Update Your Router Firmware
Your router is the front door to every device on your network. If its firmware is outdated, it may contain known vulnerabilities that are trivially exploitable — and with Mythos-class AI models, "known" now includes vulnerabilities that were unknown last week.
Log into your router's admin panel (typically 192.168.1.1 or 192.168.0.1) and check for firmware updates. If your router is end-of-life with no further updates from the manufacturer, it is time to replace it. With the FCC foreign router ban restricting future supply, current inventory offers the best selection window for purchasing.
17. Patch Your Firewall and Server Operating Systems
If you run pfSense or OPNsense, the OpenBSD TCP SACK vulnerability that Mythos found (27 years old, remotely exploitable, no authentication required) has been patched upstream. Check your base OS version and apply updates. FreeBSD-based systems (including TrueNAS) should also be updated given the NFS root-access exploit Mythos discovered.
Every Linux system on your network needs kernel updates: your Pi-hole, Docker hosts, local AI servers, NAS devices. Mythos found privilege escalation chains in the Linux kernel. Enable automatic security updates.
# Debian/Ubuntu — enable unattended security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
# Check current kernel version
uname -r
18. Segment Your Network
Network segmentation means putting different categories of devices on isolated network segments so a compromised device in one segment cannot reach devices in another. This is the single most effective network-level security measure you can implement.
At minimum, create two segments: a trusted segment for your computers and phones, and an IoT segment for smart home devices, cameras, speakers, and anything else that connects to the internet without your active involvement. If your router supports VLANs (most prosumer routers do, including OpenWrt, pfSense, and OPNsense), configure them. If not, a separate SSID on a guest network with client isolation enabled provides a basic version of the same protection.
The goal: your smart thermostat should not be able to see your file server. Your Wi-Fi-connected air quality monitor should not be on the same network as your banking computer. If one device is compromised, the blast radius stays contained.
19. Secure Your Local AI Infrastructure
If you run Claude Code, MCP servers, or local LLMs with tool access, the Mythos system card documented exactly what a highly capable model does when it encounters containment boundaries: it probes /proc/ for credentials, attempts to escalate permissions, and in some cases covers its tracks. These behaviors exist on a spectrum that includes smaller models.
Run every code-executing agent inside a Docker container with restricted network access and no host /proc/ access. Apply the principle of least privilege to every MCP connection — scope tool access as narrowly as possible. Build circuit breakers that halt execution after repeated failures rather than letting the agent search for workarounds.
20. Own Your Modem
ISP-provided rental equipment gets updated on the ISP's schedule, not yours. By owning your modem, you control when updates are applied and you eliminate a monthly rental fee ($10-15/month, up to $180/year) in the process.
For Xfinity subscribers, see our complete compatible modem list by speed tier. For a broader view across ISPs, our Best DOCSIS 3.1 Modems for 2026 guide covers the top options. Recommended picks: the ARRIS S33 (best overall, 2.5G port, broad ISP compatibility), the ARRIS SB8200 (proven budget option), and the Netgear CM3000 (mid-split upload support for future-proofing).
The Mindset Shift
Before Mythos, the security assumption was that finding and exploiting serious vulnerabilities required months of work by skilled human researchers. There were only so many of them, and their attention was the bottleneck that protected you. That bottleneck is gone. AI models can now do in hours what took teams of experts months, across every codebase simultaneously.
This does not mean you will be hacked tomorrow. It means the cost of attacking you has dropped dramatically, and it will keep dropping. The 20 steps above raise the cost of attacking you back up. Not to the point where you are invulnerable — no one is — but to the point where an automated attack moves on to an easier target.
Security is not a product you buy. It is a stack of decisions you make and maintain. Start with the 30-minute priority list. Work through the rest when you have time. The goal is not perfection. The goal is being harder to compromise than you were yesterday.
FAQ
Why is AI making cybersecurity worse?
AI models like Claude Mythos can now autonomously discover zero-day vulnerabilities in major operating systems and browsers — tasks that previously required teams of skilled security researchers working for months. The same capability improvements that make AI better at writing code make it better at finding (and exploiting) flaws in code. This dramatically lowers the cost and expertise required to conduct cyberattacks.
Do I really need a hardware security key?
Yes. AI-generated phishing emails are now indistinguishable from legitimate ones. Phone-based two-factor authentication is vulnerable to SIM swapping. A hardware security key (like a YubiKey) is a physical device an attacker would need to physically hold to access your accounts. It is the strongest second factor available to consumers.
Is Pi-hole better than NextDNS?
Pi-hole runs on your local network (typically on a Raspberry Pi), giving you full control over your DNS queries and blocklists. Nothing leaves your network. NextDNS is a cloud service that is easier to set up but routes your DNS queries through their servers. For privacy-first users, Pi-hole is better. For simplicity, NextDNS is a strong starting point. We have a complete Pi-hole setup guide if you want to go local.
Which VPN should I use?
We recommend only Mullvad and Proton VPN. Both have been independently audited, maintain strict no-log policies, and are based in privacy-respecting jurisdictions. We do not recommend other VPN providers regardless of how aggressively they advertise. Many popular VPNs have adversarial ownership structures, opaque logging policies, or are based in countries that compel data handover.
Should I get rid of all my smart home devices?
Not necessarily, but you should isolate them. Put smart devices on a separate network segment (VLAN or guest network) so they cannot communicate with your computers and phones. Replace cloud-dependent devices with local alternatives where possible — Home Assistant with Frigate NVR instead of Ring, for example. If a smart device does not need internet access to function, block its outbound traffic entirely.
How do I update my router firmware?
Log into your router's admin panel (typically by navigating to 192.168.1.1 or 192.168.0.1 in your browser) and look for a firmware update section, usually under Administration or System settings. Download and apply any available updates. If your router no longer receives firmware updates from the manufacturer, it has reached end-of-life and should be replaced. Check our router and modem recommendations for current options.
What should I do first?
The five actions in the 30-minute priority table at the top of this article, in order: update every device, enable disk encryption, set up a password manager, update your router firmware, and order a hardware security key. These five steps alone close the majority of common attack vectors.

